CVE-2025-36050
📋 TL;DR
IBM QRadar SIEM versions 7.5 through 7.5.0 Update Package 12 store sensitive information in log files that local users can read. This information disclosure vulnerability could expose credentials, configuration details, or other sensitive data. Organizations running affected QRadar versions are at risk.
💻 Affected Systems
- IBM QRadar SIEM
📦 What is this software?
QRadar Security Information and Event Manager by IBM
⚠️ Risk & Real-World Impact
Worst Case
Local attackers gain access to administrative credentials, configuration secrets, or other sensitive data, potentially leading to full system compromise or lateral movement within the network.
Likely Case
Local users or attackers with limited access can read sensitive information from log files, potentially obtaining credentials or configuration details that could be used for further attacks.
If Mitigated
With proper access controls and log file permissions, only authorized administrators can access log files, limiting exposure to sensitive information.
🎯 Exploit Status
Exploitation requires local access to the QRadar system and ability to read log files.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply IBM QRadar SIEM 7.5.0 Update Package 13 or later
Vendor Advisory: https://www.ibm.com/support/pages/node/7237317
Restart Required: Yes
Instructions:
1. Download Update Package 13 or later from IBM Fix Central.
2. Follow IBM's QRadar update procedures.
3. Apply the update package.
4. Restart QRadar services as required.
🔧 Temporary Workarounds
Restrict log file permissions
Linux: Change permissions on QRadar log directories to restrict access to authorized users only.
chmod 750 /var/log/qradar.log
chown root:root /var/log/qradar.log
Implement file integrity monitoring
All platforms: Monitor QRadar log files for unauthorized access attempts.
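The workaround above tightens the mode of one file; the check a practitioner wants before and after applying it is whether any of the log files in question are still readable by "others", which is the exposure class this CVE describes. The script below is an added example, not a command from the IBM advisory or from this page; it assumes only a POSIX shell and `stat`, and the paths you pass it (such as the `/var/log/qradar.log` used above) are your own choice.

```shell
#!/bin/sh
# Added example (not IBM's or the advisory's code): audit log files for
# world-readability, the local information-disclosure condition behind
# CVE-2025-36050. Paths are passed as arguments; none are assumed.

# Print the octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if "others" have no read bit on the file, 1 if they do, 2 if missing.
check_log_readable_by_others() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "MISSING  $f"
        return 2
    fi
    mode=$(file_mode "$f")
    others=${mode#"${mode%?}"}   # last octal digit holds the "others" bits
    if [ $(( others & 4 )) -ne 0 ]; then
        echo "EXPOSED  $f (mode $mode: readable by any local user)"
        return 1
    fi
    echo "OK       $f (mode $mode)"
    return 0
}

# Audit every path given; the return value is the count of exposed files,
# so a non-zero exit means at least one log still needs its mode restricted.
audit_logs() {
    exposed=0
    for p in "$@"; do
        check_log_readable_by_others "$p" || {
            [ $? -eq 1 ] && exposed=$((exposed + 1))
        }
    done
    return "$exposed"
}

# Usage: sh audit_logs.sh /var/log/qradar.log /path/to/other.log
if [ "$#" -gt 0 ]; then
    audit_logs "$@"
fi
```

Run it once before the `chmod`/`chown` change to confirm the exposure, and again afterwards to confirm the "others" read bit is gone. Whatever mode and owner you settle on, also confirm that the account QRadar writes logs under can still write to the file; an ownership change that locks the service out of its own log trades a disclosure problem for a lost audit trail.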
🧯 If You Can't Patch
- Implement strict access controls to limit who can access QRadar systems locally.
- Regularly audit and monitor access to QRadar log files for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check QRadar version via Admin interface or run: /opt/qradar/bin/qradar_versions
Check Version:
/opt/qradar/bin/qradar_versions
Verify Fix Applied:
Verify version is 7.5.0 Update Package 13 or later using the same version check command.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to QRadar log files
- Suspicious file read operations on log directories
Network Indicators:
- N/A - Local vulnerability only
SIEM Query:
source='QRadar' AND (event_name='File Access' OR event_name='Permission Change') AND file_path LIKE '%/var/log/qradar%'